For more of the e-mail thread, see Sverdlik's post "Why I lost all respect for ISC2".

From: Dorsey Morrow (domorrow@isc2.org)
Date: Tue, May 24, 2011 at 9:49 AM
Subject: Inappropriate content
To: "bsverdlik@gmail.com" (bsverdlik[at]gmail.com)

Boris,

Your posting (see below) was brought to the attention of several members of
the (ISC)² Board of Directors.  It is their opinion that your posting to
that link might appear to support the social engineering position made by
the author of the article.  Without any commentary, it is hard to draw any
other conclusion.  This would be in contravention of the (ISC)² Code of
Ethics and could be the basis for a breach of the code.  I would suggest you
clarify on that forum why you posted the link and that you do not condone
the action stated by the author.

Best regards,

Dorsey Morrow, CISSP®-ISSMP®
(ISC)²® General Counsel
*Security Transcends Technology®
(P) +1.334.270.0501
(F) +1.888.290.2144
domorrow@isc2.org
*Connect with us!*
*InterSeC:*  www.isc2intersec.com
*Twitter:*  https://twitter.com/isc2
*YouTube:*  http://www.youtube.com/isc2tv

From: Boris Sverdlik (bsverdlik[at]gmail.com)
Date: Tue, May 24, 2011 at 10:31 AM
Subject: Re: Inappropriate content
To: Dorsey Morrow (domorrow@isc2.org)

Dorsey,

I am the author of the article and Part 1 clearly states that one of the
services I provide is Information Security Awareness training to protect
organizations from these types of attacks. Please help me understand how
this is different from a Malware researcher providing a dissection of an
attack?

I don't support any tactics and/or methodologies used in a malicious way;
however, that doesn't inherently mean I will not share the methodologies. Do
we as information security professionals seriously believe that security
through obscurity works?

Regards,

Boris

From: Dorsey Morrow (domorrow@isc2.org)
Date: Tue, May 24, 2011 at 10:52 AM
Subject: RE: Inappropriate content
To: Boris Sverdlik (bsverdlik[at]gmail.com)

Boris,

I must start by saying that we don't necessarily condone a Malware
researcher providing a dissection of an attack; at least not without
notifying the appropriate parties affected first and providing ways to
mitigate.  The way the article was written it uses words such as "your
target", "short con" (I presume the negative connotation of "confidence", as
in "con man"), and "how much time you focus on the attack", instead of "how
to defend an attack" or "how to identify such an attack".  I also noted the
tags included "hacking", "manipulate", and "social engineering".   This
reads more like a "how-to" article for 2600 than an advisory article for
professionals defending against such attacks.

I would suggest that the article be rewritten in the context of how to
defend and/or mitigate these issues.  As you have adroitly stated, "if
security professionals aren't aware of these methodologies then frankly they
should not be in the industry."  So then, why publish this so that others
become aware of these methodologies and use them against employers/infosec
professionals?

I hope you understand the concern over publishing such articles and the
reflection it has on the profession.  Our job is to prevent such attacks,
not provide the tools to commit them.  While we want infosec professionals
to be aware, we must do so from the perspective of how to identify and
defend.

Best regards,

Dorsey Morrow, CISSP®-ISSMP®
[Huge sig block removed]

From: Boris Sverdlik (bsverdlik[at]gmail.com)
Date: Tue, May 24, 2011 at 11:07 AM
Subject: Re: Inappropriate content
To: Dorsey Morrow (domorrow@isc2.org)

Dorsey,

It was written as a how-to because I'm presenting the information at
security conferences which target the types of candidates that I would hire,
ones that keep up to date with all threat vectors. The security awareness
training services I offer demonstrate how to identify and stop these
attacks.

Malware researchers (not malicious attackers) spend countless hours
dissecting code because security professionals charged with protecting their
organizations fail to implement proper vetting procedures. They fail because
in some cases they hired someone based on a credential who is only
knowledgeable in what the crash class for the certification had taught him.

Am I to believe ISC2 is OK with a public image that does not support DefCon
and/or Blackhat? If that is the case, we shall continue to see failures such
as Sony if we do not arm ourselves with the same information available to
malicious attackers. This article was put together originally to sell my
Security Awareness Program.


From: Dorsey Morrow (domorrow@isc2.org)
Date: Tue, May 24, 2011 at 11:26 AM
Subject: RE: Inappropriate content
To: Boris Sverdlik (bsverdlik[at]gmail.com)

Boris,

Indeed (ISC)² does not condone or participate in Blackhat or Defcon.
However, this does not logically conclude that this contributes to
security failures such as Sony.  To make such an argument means that
we only find current and relevant infosec information at those venues,
which is not true.  While we do not condone or participate, neither do
we prohibit members from attending if they believe it provides them an
opportunity to learn, so long as they are not associating with or
supporting criminal or unethical behavior typically associated with
those venues.  Nevertheless, that is not what is at issue.  Of
concern is that the article is written as a "how to" for criminal
behavior, not how to defend for professionals.  I am not going to
belabor the issue with you.  I am simply going to suggest that you may
be subject to a Code of Ethics complaint based on the content as
presented in the article and would strongly urge that you rewrite to
be more fitting for an infosec professional.

Best regards,

Dorsey Morrow, CISSP®-ISSMP®




On Fri, Jul 1, 2011 at 12:01 PM, Dorsey Morrow (domorrow@isc2.org) wrote:

Boris,

You are in breach of the Logo Usage Guidelines you agreed to abide by when you 
applied to sit for the CISSP exam.  Please note that (ISC)² and CISSP are 
registered marks in the EU.  You are directed to remove 
http://jadedsecurity.net/2011/06/30/do-it-for-the-kittens/  and the graphic 
stating "(ISC)² Sucks" on 
http://jadedsecurity.net/2011/06/30/what-the-cissp-won%e2%80%99t-teach-you-part-deux/.

Failure to abide by this directive will result in an immediate ethics complaint 
requesting decertification and (ISC)² considering all legal remedies to protect 
its intellectual property.

Govern yourself accordingly,

Dorsey Morrow, CISSP®-ISSMP®


From: Boris Sverdlik (bsverdlik[at]gmail.com)
Sent: Friday, July 01, 2011 11:17 AM
To: Dorsey Morrow (domorrow@isc2.org)
Subject: Re: Improper use of the CISSP mark

Dorsey,

While I appreciate the attempt at selective enforcement of ethics
violations, I'd like to refer you to the definition of a logo:
http://definitions.uslegal.com/c/corporate-logo/

I in no way used the logo (ISC)2 in any of my artwork. In terms of
usage of the CISSP (trademark), Copyright law Section 107 provides
that "the fair use of a copyrighted work . . . for purposes such as
criticism [or] comment . . . is not an infringement . . ." But it
requires a case-by-case analysis rather than "bright-line rules".

If you'd file an ethics claim, I'm ok with having my attorney put
together a formal response citing hundreds of similar articles and
pieces written by holders of the certification
(http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=cissp+sucks)

Regards,
Boris


On Fri, Jul 1, 2011 at 12:24 PM, Dorsey Morrow (domorrow@isc2.org) wrote:

Boris,

No, but you did use our EU registered trademarks in a disparaging manner, 
which is governed by EU law.  US copyright law doesn't apply because (1) we 
are talking trademarks, not copyright; and, (2) you aren't residing in the US.

As you wish on the ethics portion.  Remember, there may be hundreds, if 
not thousands, of "similar articles and pieces written by holders of the 
certification".  As I am sure your attorney will tell you, whether I get to 
them or not is irrelevant in a response.  Same reasoning a police officer will 
ticket you even if you claim others are speeding as well.   I am focusing on 
your actions.

Respectfully,

Dorsey Morrow, CISSP®-ISSMP®


From: Boris Sverdlik (bsverdlik[at]gmail.com)
Sent: Friday, July 01, 2011 11:28 AM
To: Dorsey Morrow (domorrow@isc2.org)
Subject: Re: Improper use of the CISSP mark

Dorsey,

I appreciate your concerns, but I do reside in the US, the Server
resides in the US. The more public we make selective enforcement, the
more public ISC2 claim of absolute competence will be scrutinized. I
have not violated anything in terms of your ethics statement,
especially conflict of interest which is one I take very personally.


On Fri, Jul 1, 2011 at 12:50 PM, Dorsey Morrow (domorrow@isc2.org) wrote:

Boris,

Excellent.  My apologies.  I thought you were in the EU.  This makes things 
far easier.

Rather odd you are claiming "selective enforcement".  I can document extensive 
litigation (which we have all won), regarding misuse of (ISC)² marks.  Can we 
get them all, not a chance, but we do pursue. However, the law doesn't require 
that I pursue every one of them or even document, as selective enforcement is not 
a defense.

Simply pull up the first article "Do you still value your CISSP?" on your 
proposed Google search and read the last paragraph.  He makes a good argument.

I consider the discussion closed.  You can have your say about thinking the 
CISSP you hold is not worthwhile, but the Logo Usage Guidelines that you agreed 
to be bound by govern your actions and are part of the contract you executed.  
Failure to remove the images will result in an ethics complaint and (ISC)² 
considering all remedies.

Respectfully,

Dorsey Morrow, CISSP®-ISSMP®


From: Boris Sverdlik (bsverdlik[at]gmail.com)
Date: Fri, Jul 1, 2011 at 1:01 PM
Subject: Re: Improper use of the CISSP mark
To: Dorsey Morrow (domorrow@isc2.org)

Dorsey,

You're correct, as things are far easier. I'm not using the mark nor the
logo; please visit the links you had sent. Thanks. I specifically say
ISC2, hence no trademark or copyright infringement.

Selective enforcement of ethics violations, not trademark. Please feel
free to bring me up on an ethics violation; I am gathering enough
information on the "Absolute Competency" you assure employers. I'd love
to be able to have that hearing publicly.

Regards,
Boris



Note: On July 5, 2011, Boris Sverdlik gave attrition.org permission to publish these mails.

Copyright 2011 by Brian Martin. Permission is granted to quote, reprint or redistribute provided the text is not altered, appropriate credit is given and a link to the original copy is included.

Should you appreciate the article and feel generous, please donate a couple of bucks to any 501(c)(3) non-profit that benefits animals or computer security on our behalf.

